AuthCrunch Secrets Plugin for AWS Secrets Manager Integration.
In "IAM" section of AWS Console, create AuthCrunchSecretsManagerAccess IAM Policy.
Change 123456789012 with your own account number.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:ListSecrets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:*:123456789012:secret:authcrunch*"
},
{
"Effect": "Allow",
"Action": "secretsmanager:GetRandomPassword",
"Resource": "*"
}
]
}Next, create a role for "EC2" AWS Service and attach the AuthCrunchSecretsManagerAccess to it.
Then, attach the IAM role to an EC2 instance.
From the EC2 instance, run the following command to list secrets.
aws secretsmanager list-secretsThe output for an account without any existing secrets follows.
{
"SecretList": []
}Install bcrypt-cli for password hashing:
go install github.com/bitnami/bcrypt-cli@latestInstall pwgen for password generation:
sudo yum -y install pwgenGenerate a password:
$ pwgen -cnvB1 32
rbrH97m9bpbk3qRphHFNM9ksJfRcWdvr
Next, hash the password and the api_key:
$ echo -n "rbrH97m9bpbk3qRphHFNM9ksJfRcWdvr" | bcrypt-cli -c 10
$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6
Repeat the same thing for api_key.
$ pwgen -cnvB1 32
kqvc7cgk44dtpX9nXx4NL9krH4g7fqdJ
$ echo -n "kqvc7cgk44dtpX9nXx4NL9krH4g7fqdJ" | bcrypt-cli -c 10
$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6
First, create a set of credentials for a management user, jsmith.
Next, browse to "AWS Secrets Manager" to add a secret by selecting secret type as "Other type of secret (API key, OAuth token, other.)" and put the following key values.
username:jsmithpassword:bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6api_key:bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6email:jsmith@localhost.localdomainname: 'John Smith`
Use aws/secretsmanager for the "Encryption key".
Set secret name to authcrunch/caddy/users/jsmith and description
to Caddy User Credentials for jsmith
After the creation of the secret, list secrets with aws secretsmanager list-secrets again.
{
"SecretList": [
{
"Name": "authcrunch/caddy/users/jsmith",
"Tags": [],
"LastChangedDate": 1673135119.189,
"SecretVersionsToStages": {
"278a2e61-f3e3-4280-a444-333d7186d5ce": [
"AWSCURRENT"
]
},
"CreatedDate": 1673135119.15,
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authcrunch/caddy/users/jsmith-tz6d06",
"Description": "Caddy User Credentials for jsmith"
}
]
}Next, retrieve the previously created secret:
aws secretsmanager get-secret-value --secret-id authcrunch/caddy/users/jsmithThe expected output follows:
{
"Name": "authcrunch/caddy/users/jsmith",
"VersionId": "278a2e61-f3e3-4280-a444-333d7186d5ce",
"SecretString": "{\"username\":\"jsmith\",\"password\":\"bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6\",\"api_key\":\"bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6\"}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": 1673135119.183,
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authcrunch/caddy/users/jsmith-tz6d06"
}Next, follow the same proceduce as with jsmith to generate the shared key
to be used for JWT token signing and verification.
Browse to "AWS Secrets Manager" to add a secret by selecting secret type as "Other type of secret (API key, OAuth token, other.)" and put the following key values.
id:0usage:sign-verifyvalue:b006d65b-c923-46a1-8da1-7d52558508fe
Use aws/secretsmanager for the "Encryption key".
Set secret name to authcrunch/caddy/access_token and description
to Caddy Access Token Secret